Bug 293 - Segmentation fault with nonexistent uid
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.9
Hardware: PC Linux
Importance: normal normal
Assigned To: Todd C. Miller
 
Reported: 2008-06-30 18:43 MDT by Ben Millwood
Modified: 2008-11-05 20:04 MST

Attachments
abort on uid not found (550 bytes, patch), 2008-06-30 18:44 MDT, Ben Millwood
Avoid following NULL pointer in -i mode (2.00 KB, patch), 2008-07-01 08:18 MDT, Todd C. Miller
Fill in more passwd data when running as a non-existent uid (1.14 KB, patch), 2008-07-01 12:19 MDT, Todd C. Miller
backtrace (1.49 KB, text/plain), 2008-07-01 12:36 MDT, Ben Millwood

Description Ben Millwood 2008-06-30 18:43:28 MDT
Discovered on 1.6.9p10, tested on 1.6.9p17 - specifying a uid with -u #num causes a segmentation fault when the specified uid does not exist:

$ sudo -u \#-1 -i
Segmentation fault

I'm not sure under exactly which contexts the bug is triggered, but I can't reproduce it with the patch I'm about to attach applied.
Comment 1 Ben Millwood 2008-06-30 18:44:47 MDT
Created attachment 225
abort on uid not found

Sorry, I didn't realise when filing the bug that I could make attachments on the first post.
Comment 2 Todd C. Miller 2008-07-01 08:18:16 MDT
Created attachment 226
Avoid following NULL pointer in -i mode

This only affects the -i flag so there's no need to remove support for running commands as arbitrary uids.  The attached patch will detect the non-existent shell and error out appropriately.
Comment 3 Ben Millwood 2008-07-01 10:39:54 MDT
On my machine I get a segmentation fault on this too:

ben@euler:~/software/sudo-1.6.9p17$ ./sudo -u \#-1 pwd
Segmentation fault

The gdb backtrace is identical, and the patch I attached still fixed the issue.

Not everywhere I tested DOES segfault with this command or a similar one (although they do with -i), but on the only other machine I could try this, a debug build from the latest source had the issue while the builtin sudo (version 1.6.9p12) did not.
Comment 4 Todd C. Miller 2008-07-01 11:59:32 MDT
As I am unable to reproduce the problem, could you please attach the gdb backtrace?
Comment 5 Todd C. Miller 2008-07-01 12:19:33 MDT
Created attachment 227
Fill in more passwd data when running as a non-existent uid

Perhaps this will work better.
Comment 6 Ben Millwood 2008-07-01 12:36:48 MDT
Created attachment 228
backtrace

Your newest patch fixes the issue (even with -i, which is pretty useful, thanks!) as far as I can tell, but I attached the backtrace you asked for anyway just in case.

I'd suggest that it might be wise to print a warning, at least, when the UID given doesn't match any existing user and so we are using 'fabricated' details.
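
The following C sketch is an added example, not code from this thread or from the attached sudo patches. It illustrates the approach named in attachment 227 (fill in passwd data when the uid has no entry) together with the warning suggested in comment 6. The helper names and the fabricated field values are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added illustration, not sudo's code. All names and the fabricated field
 * values ("*", "/", "/bin/sh") are assumptions chosen for this sketch. */
static char fake_name[24], fake_passwd[] = "*", fake_gecos[] = "",
            fake_dir[] = "/", fake_shell[] = "/bin/sh";
static struct passwd fake_pw;

/* Return the passwd entry for uid, or a fabricated entry with every string
 * field non-NULL when getpwuid() finds no such user. */
struct passwd *getpw_or_fake(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL)
        return pw;
    memset(&fake_pw, 0, sizeof(fake_pw));
    snprintf(fake_name, sizeof(fake_name), "#%lu", (unsigned long)uid);
    fake_pw.pw_name = fake_name;
    fake_pw.pw_passwd = fake_passwd;
    fake_pw.pw_uid = uid;
    fake_pw.pw_gid = (gid_t)-1;      /* assumption: no real group known */
    fake_pw.pw_gecos = fake_gecos;
    fake_pw.pw_dir = fake_dir;
    fake_pw.pw_shell = fake_shell;
    return &fake_pw;
}

int is_fabricated(const struct passwd *pw) { return pw == &fake_pw; }

/* Demo helper: first uid at or above 60000 with no passwd entry. */
uid_t unused_uid(void)
{
    uid_t uid = 60000;
    while (getpwuid(uid) != NULL)
        uid++;
    return uid;
}

int main(void)
{
    /* The unchecked form, getpwuid(uid)->pw_shell, dereferences NULL here. */
    struct passwd *pw = getpw_or_fake(unused_uid());
    if (is_fabricated(pw))
        fprintf(stderr, "warning: uid %lu has no passwd entry, using "
                "fabricated details\n", (unsigned long)pw->pw_uid);
    printf("%s would run %s in %s\n", pw->pw_name, pw->pw_shell, pw->pw_dir);
    return 0;
}
```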